<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Multiple Deployments - Splunk App for McAfee Web Gateway in All Apps and Add-ons</title>
    <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146007#M72172</link>
    <description>&lt;P&gt;Thanks Pavel, I will keep it simple, as well as use the "host" field for regional searches.&lt;/P&gt;

&lt;P&gt;I will definitely use tcp over udp, I used udp to initially test.&lt;/P&gt;

&lt;P&gt;I will be sending my MWG logs to a universal forwarder which will NOT have the MWG app installed; the MWG app will be installed on each of my indexers.  &lt;/P&gt;

&lt;P&gt;Will this affect behavior?  Do I need to enable a separate receive port on my universal forwarders so as to keep MWG data separate from everything else coming in on its assigned port?&lt;/P&gt;

&lt;P&gt;Thanks again!&lt;/P&gt;

&lt;P&gt;-mi&lt;/P&gt;</description>
    <pubDate>Thu, 17 Jul 2014 19:40:11 GMT</pubDate>
    <dc:creator>nychawk</dc:creator>
    <dc:date>2014-07-17T19:40:11Z</dc:date>
    <item>
      <title>Multiple Deployments - Splunk App for McAfee Web Gateway</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146005#M72170</link>
      <description>&lt;P&gt;I have just installed the McAfee Web Gateway app on Splunk 6.1.2, it's awesome! Thank you, Pavel Prostine (&lt;A href="http://answers.splunk.com/users/204508/pavelp"&gt;http://answers.splunk.com/users/204508/pavelp&lt;/A&gt;).&lt;/P&gt;

&lt;P&gt;I was wondering what folks are doing for receiving logs and managing/configuring multiple McAfee Web Gateway devices, I will be deploying 75 new ones over the next 6 months.&lt;/P&gt;

&lt;P&gt;I am considering sending each MWG device to a regional universal (light) forwarder, which in turn will resend upstream to its assigned indexer/s.&lt;/P&gt;

&lt;P&gt;I would like to easily determine which site's MWG has become cause for concern. If I followed the install instructions, then sourcetype=MWGaccess3 would be the same for each one, which might be acceptable. But if I were to rewrite the XML file that is used to create this, and I renamed MWGaccess3 to MWGaccess-NYC for the NYC MWG, then if I saw that sourcetype, I could quickly determine the source's region and office location.&lt;/P&gt;

&lt;P&gt;My questions are:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;&lt;P&gt;Does a sourcetype rename like what I've described make sense?  Would it create multiple dashboards too?  In the end, I would like to have all sites' logs aggregated as one.&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Is it not advisable to use the same data input (currently using UDP/5514), then send upstream to the same port on the indexer/s?  Or should I make the port on the indexer/s different? I am thinking that if I did the above, then here is where I can make them all uniform for sourcetype?&lt;/P&gt;&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;Many thanks in advance,&lt;/P&gt;

&lt;P&gt;-mi&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jul 2014 20:17:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146005#M72170</guid>
      <dc:creator>nychawk</dc:creator>
      <dc:date>2014-07-16T20:17:15Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple Deployments - Splunk App for McAfee Web Gateway</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146006#M72171</link>
      <description>&lt;P&gt;Hello nychawk,&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;&lt;P&gt;Splunk assigns a "host" field for every input coming in remotely. Based on this field you can add a dashboard filter or add a location field to tables and dashboards.&lt;BR /&gt;
Additionally, you can create a lookup table to be able to see the region where a particular host is located.&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;I would use the same sourcetype for all logs and filter based on the "host" field instead of creating many different sourcetypes.&lt;/P&gt;&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;Additionally, you can consider using TCP instead of UDP.&lt;/P&gt;

&lt;P&gt;Best Regards&lt;BR /&gt;
Pavel&lt;/P&gt;</description>
      <pubDate>Thu, 17 Jul 2014 10:50:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146006#M72171</guid>
      <dc:creator>PavelP</dc:creator>
      <dc:date>2014-07-17T10:50:40Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple Deployments - Splunk App for McAfee Web Gateway</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146007#M72172</link>
      <description>&lt;P&gt;Thanks Pavel, I will keep it simple, as well as use the "host" field for regional searches.&lt;/P&gt;

&lt;P&gt;I will definitely use tcp over udp, I used udp to initially test.&lt;/P&gt;

&lt;P&gt;I will be sending my MWG logs to a universal forwarder which will NOT have the MWG app installed; the MWG app will be installed on each of my indexers.  &lt;/P&gt;

&lt;P&gt;Will this affect behavior?  Do I need to enable a separate receive port on my universal forwarders so as to keep MWG data separate from everything else coming in on its assigned port?&lt;/P&gt;

&lt;P&gt;Thanks again!&lt;/P&gt;

&lt;P&gt;-mi&lt;/P&gt;</description>
      <pubDate>Thu, 17 Jul 2014 19:40:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146007#M72172</guid>
      <dc:creator>nychawk</dc:creator>
      <dc:date>2014-07-17T19:40:11Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple Deployments - Splunk App for McAfee Web Gateway</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146008#M72173</link>
      <description>&lt;P&gt;Hi! You can send logs directly to Splunk using rsyslog via TCP.&lt;/P&gt;

&lt;P&gt;You can configure your Splunk indexer to listen on a separate port exclusively for incoming MWG logs and assign the required sourcetype to this input.&lt;/P&gt;

&lt;P&gt;For example:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;MWG New York (mwg-usa-ny), rsyslog sends logs via TCP:9514 to Splunk indexer located in the USA&lt;/LI&gt;
&lt;LI&gt;MWG San Francisco (mwg-usa-sf), rsyslog sends logs via TCP:9514 to Splunk indexer located in the USA&lt;/LI&gt;
&lt;LI&gt;MWG London (mwg-eu-lon), rsyslog sends logs via TCP:9514 to Splunk indexer located in Europe&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;On the search head, you can filter based on the host field; for example, you can show all US locations using the host=mwg-usa-* filter.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Jul 2014 10:43:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146008#M72173</guid>
      <dc:creator>PavelP</dc:creator>
      <dc:date>2014-07-21T10:43:56Z</dc:date>
    </item>
    <item>
      <title>Re: Multiple Deployments - Splunk App for McAfee Web Gateway</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146009#M72174</link>
      <description>&lt;P&gt;I still intend to send all of my local logs to a univ. forwarder, who will relay to my indexers. Looks like I need to keep my ports unique to MWG, no problem there.&lt;/P&gt;

&lt;P&gt;Thanks again for the great app.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Jul 2014 13:45:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-Deployments-Splunk-App-for-McAfee-Web-Gateway/m-p/146009#M72174</guid>
      <dc:creator>nychawk</dc:creator>
      <dc:date>2014-07-21T13:45:28Z</dc:date>
    </item>
  </channel>
</rss>

